Reverse Engineering Primer



Reverse Engineering techniques can be divided into two categories: Static and Dynamic Analysis.

Static Analysis 

• Techniques which do not involve running the code 

• Disassembly, file structure analysis, strings, etc. 

Dynamic Analysis 

• Techniques which involve running the code 

• Behavioral analysis 
Approaches to Dynamic Analysis



Network Monitoring 

• Isolated Physical Networks 

• Virtual Networks 

Hardware Emulation 

• Norman Sandbox et al. 

Kernel-Level Monitoring (SSDT hooks) 

• Sysinternals' Process Monitor 

Debuggers 
Kernel-Level Monitoring

[Diagram: the process calls CreateFile(); the system call is performed and enters the kernel, where Procmon.sys intercepts it before ZwCreateFile() runs]
Kernel-Level Monitoring



Advantages 

• Captures every system call 

• Can't be avoided from userland 

Disadvantages 

• Only captures functions implemented as system calls

• Not every important function call in the Win32 API is implemented as a system call

• Tools don't differentiate between process housekeeping and calls from user code

• Calls to internal DLLs cannot be observed



Process Monitor

[Screenshot: Sysinternals Process Monitor (www.sysinternals.com) capturing notepad.exe. Columns: Time of Day, Process Name, PID, Operation, Path, Result, Detail. The trace shows Process Start (Parent PID: 2364), Thread Create (Thread ID: 5452), Load Image for notepad.exe and ntdll.dll (Image Base: 0x77300000), then CreateFile, QueryStandardI..., ReadFile (Offset: 0, Length: 19,466) and CloseFile on C:\Windows\Prefetch\NOTEPAD.EXE-...; directory opens of C:, C:\Windows, C:\Windows\System32 and C:\Windows\winsxs\amd64_microsoft.w..., each followed by SetBasicInform..., QueryFileIntern... and FileSystemControl (Control: FSCTL_FILE_PREFETCH, some returning END OF FILE); and CreateFile, QueryAttributeT..., CreateFileMapp... (FILE LOCKED WI...) and QueryStandardI... on C:\Windows\System32\ntdll.dll and kernel32.dll. Status bar: Showing 793 of 132,735 events (0.59%), Backed by pagefile]
Process Monitoring via Debugging



Advantages 

• Debugger can trap any function call, not just system calls

• Trapped calls are more likely to be highly relevant to the program's operation

Disadvantages 

• Have to act as a debugger 

• Susceptible to countless anti-debugger techniques 
Inline Hooks



Advantages 

• Can trap any function call, not just system calls 

• Trapped calls are more likely to be highly relevant to the program's operation

• Not operating as a debugger 

• No device driver required 

Disadvantages 

• More of a pain in the #@/ to implement 
Monitoring with Inline Hooks

[Diagram: the process calls CreateFile() in Kernel32.dll; the inline hook diverts execution to the Hook Handler, after which the call continues through Ntdll.dll and the system call is performed via the SSDT]
Implementing Inline Hooks



1. Find a function of interest

2. Disassemble the beginning of the function

3. If possible, overwrite the beginning bytes of the function with a jump or call instruction

4. Implement a handler for the hooked function
Why Disassemble?



• If you attempt to hook every function from a DLL, for example, you might run into a function such as the one below.

• Inserting a 5-byte jump or call would write beyond the end of the function.

some_function:
    31 C0    ; xor eax, eax
    C3       ; ret
A Successful Hook Install



original_function:
    18 00 00 00

hooked_function:
    E9 E4 7C FF FF    ; jmp <handler>
    18 00 00 00       ; unused
    31 C9             ; xor ecx, ecx
What to do with hooked functions



Observe and Report 

• Collect data about the current function call by gathering data from the stack and report it to the console

• Execute any instructions overwritten by the hook

• Jump back to the next instruction in the hooked function

Intercept and Emulate

• Perform a specified action instead of calling the intended function
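The four installation steps, the "Why Disassemble?" check and the observe-and-report bookkeeping above, worked through as an added Python example (not API Thief's code; the opcode table, the addresses and the sample bytes are constructed assumptions, and the jmp encoding reproduces the E9 E4 7C FF FF shown on the slide):

```python
import struct

JMP_REL32_SIZE = 5   # E9 rel32: the 5-byte jump the hook writes over the prologue


def insn_length(code: bytes, off: int) -> int:
    """Length of the x86-32 instruction at code[off].  Assumption: a small
    opcode table covering common prologue bytes, register-direct ModRM only."""
    op = code[off]
    if op in (0x90, 0xC3, 0x55, 0x56, 0x57):     # nop, ret, push ebp/esi/edi
        return 1
    if op in (0x31, 0x33, 0x89, 0x8B):           # xor/mov between registers
        if code[off + 1] >> 6 == 0b11:           # ModRM mod=11: no memory operand
            return 2
        raise ValueError(f"unsupported ModRM at offset {off}")
    if 0xB8 <= op <= 0xBF:                       # mov r32, imm32
        return 5
    raise ValueError(f"unsupported opcode {op:#04x} at offset {off}")


def prologue_to_save(code: bytes) -> bytes:
    """Whole instructions the jmp clobbers: the handler re-executes these, then
    jumps back.  Raises if a ret (end of function) is reached first."""
    n = 0
    while n < JMP_REL32_SIZE:
        if n >= len(code) or code[n] == 0xC3:
            raise ValueError("function too short: a 5-byte jmp would overrun it")
        n += insn_length(code, n)
    return code[:n]


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """E9 rel32; the displacement is relative to the byte after the jmp."""
    return b"\xE9" + struct.pack("<i", dst - (src + JMP_REL32_SIZE))


def install_hook(code: bytes, func_addr: int, handler_addr: int):
    """Return (patched bytes, saved prologue, address the handler resumes at)."""
    saved = prologue_to_save(code)
    patched = encode_jmp_rel32(func_addr, handler_addr) + code[JMP_REL32_SIZE:]
    return patched, saved, func_addr + len(saved)   # bytes 5..len(saved) are unused


if __name__ == "__main__":
    # Constructed: mov eax,18h ; xor ecx,ecx ; ret at 0x408320, handler at 0x400009
    print(install_hook(bytes.fromhex("B81800000031C9C3"), 0x408320, 0x400009))
    try:
        prologue_to_save(bytes.fromhex("31C0C3"))    # xor eax,eax ; ret
    except ValueError as err:
        print("not hookable:", err)
```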
Roll-your-own Sandbox



Trap gethostbyname() to always return a fixed IP address.

A pseudo-handle interface to allow fake reads and writes to files and network sockets.

• Trap connect() to connect to a pseudo-socket.

• CreateFile(), ReadFile(), WriteFile(), MapViewOfFile()...
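An added Python sketch of the pseudo-handle idea (not API Thief's code; the handle values, the fixed IP and the virtual file are constructed assumptions): each hooked call is logged to a process-monitor-style console and then answered from memory, so the program under analysis never reaches a real file or socket.

```python
FIXED_IP = "10.0.0.1"   # constructed: every name lookup resolves to this address


class PseudoSandbox:
    """Pseudo-handle table plus an observe-and-report log for the hooked functions."""

    def __init__(self, virtual_files=None):
        self.files = dict(virtual_files or {})   # path -> bytes the program may read
        self.objects = {}                         # name -> {"data": bytearray, "pos": int}
        self.handles = {}                         # pseudo-handle -> object name
        self.report = []                          # process-monitor-style console

    def _open(self, name, data=b""):
        self.objects.setdefault(name, {"data": bytearray(data), "pos": 0})
        h = 0x100 + 4 * len(self.handles)         # constructed handle values
        self.handles[h] = name
        return h

    # Intercept and emulate: file calls are served from memory, never from disk.
    def CreateFile(self, path):
        self.report.append(f"CreateFile({path!r})")
        return self._open(path, self.files.get(path, b""))

    def ReadFile(self, h, n):
        o = self.objects[self.handles[h]]
        chunk = bytes(o["data"][o["pos"]:o["pos"] + n])
        o["pos"] += len(chunk)
        self.report.append(f"ReadFile({self.handles[h]!r}, {n}) -> {len(chunk)} bytes")
        return chunk

    def WriteFile(self, h, buf):                  # also serves send() on a pseudo-socket
        self.objects[self.handles[h]]["data"] += buf   # captured for the analyst
        self.report.append(f"WriteFile({self.handles[h]!r}, {len(buf)} bytes)")
        return len(buf)

    # Network calls never leave the sandbox: fixed answer, then a pseudo-socket.
    def gethostbyname(self, host):
        self.report.append(f"gethostbyname({host!r}) -> {FIXED_IP}")
        return FIXED_IP

    def connect(self, ip, port):
        self.report.append(f"connect({ip}:{port}) -> pseudo-socket")
        return self._open(f"{ip}:{port}")


def run_sample():
    # Constructed call sequence standing in for a hooked program's API calls.
    sb = PseudoSandbox({"C:\\config.ini": b"key=1\n"})
    cfg = sb.ReadFile(sb.CreateFile("C:\\config.ini"), 64)
    s = sb.connect(sb.gethostbyname("updates.example.invalid"), 80)
    sb.WriteFile(s, b"GET / HTTP/1.0\r\n\r\n")
    return sb, cfg
```

Whatever the program writes to a pseudo-socket stays in sb.objects for inspection, which is the point of the fake handle: the traffic is observed without ever being sent.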
API Thief



Launches target process in a suspended state

Injects a DLL into the process.

The injected DLL hooks all Win32 API functions before the target process is resumed

API call monitoring can be used simply with a process monitor-style console

Embedded Python can be used to write custom handlers for specific hooked functions



Obtain API Thief at www.mandiant.com 
API Thief Demonstration



Basic Process Monitoring 



Basic Interception (gethostbyname) 
Pseudo-Handles demonstration 
Automated Unpacking with API Thief 